AslpFileQueryVersionString is called from the AslpFileMakeStringVersionAttributes function. As you can see in the
code provided above, the "crashloc" label is executed in a loop, where the ESI register is the counter incremented
on every cycle (address 0x000208B9) and the EDI register is the maximum number of allowed loop cycles (address 0x000208C3).
As you can see, there is another condition that can end the loop (0x000208A7), which tests whether the wanted value was
found by AslpFileVerQueryValue; however, it is always passed, since ebx=STATUS_NOT_FOUND (assuming a forged PE file is used).

The value of EDI is taken from the PE file (resource section, Var->wValueLength [1] field) through the AslpFileVerQueryValue
function, where the wanted sub-block argument is "\VarFileInfo\Translation" (Var identifiers are often used by applications to
access a language-specific StringTable structure in the version-information resource), as shown below:

The obtained maximum loop count is then divided by 4, supplied as an argument to the AslpFileQueryVersionString function
and later used as the loop limit. When an attacker forges this value, it is possible to cause an access violation exception because
unavailable memory will be accessed (address 0x00020856). This happens because there are no boundary checks testing whether the
data obtained from the resource section is big enough to cover the extra size claimed by Var->wValueLength. This crashes the whole
system and can be triggered remotely.
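The missing check described above, shown as an added example in user-mode C; this is not code from the advisory or from the affected driver. It parses a "\VarFileInfo\Translation" Var block, whose Value[] array holds wValueLength/4 (language, code page) pairs, and rejects any block whose wValueLength exceeds the bytes actually present. The sample block bytes are constructed here, and alignment of Value[] is assumed to be relative to the start of the block (in a real resource it is relative to the VS_VERSIONINFO root).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Layout of a Var block inside a version-information resource:
 *   WORD  wLength;       size of this block in bytes
 *   WORD  wValueLength;  size of Value[] in bytes
 *   WORD  wType;         0 = binary data
 *   WCHAR szKey[];       L"Translation\0"
 *   WORD  Padding[];     aligns Value[] to a 32-bit boundary
 *   DWORD Value[];       wValueLength / 4 (language, code page) pairs
 */
typedef struct { uint16_t lang; uint16_t codepage; } translation_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Parses one Var "Translation" block from buf[0..buf_len).
 * Returns the number of translation pairs copied to out, or -1 if any length
 * field claims more data than the block or the buffer actually contains. */
int parse_var_translation(const uint8_t *buf, size_t buf_len,
                          translation_t *out, size_t out_max)
{
    static const uint8_t key[] = { 'T',0,'r',0,'a',0,'n',0,'s',0,'l',0,
                                   'a',0,'t',0,'i',0,'o',0,'n',0,0,0 };
    const size_t hdr = 6 + sizeof key;           /* fixed fields + key */
    if (buf_len < hdr) return -1;

    uint16_t wLength      = rd16(buf);
    uint16_t wValueLength = rd16(buf + 2);
    uint16_t wType        = rd16(buf + 4);

    /* The block may not extend past the resource bytes we were given. */
    if (wLength < hdr || wLength > buf_len) return -1;
    if (wType != 0) return -1;
    if (memcmp(buf + 6, key, sizeof key) != 0) return -1;

    /* Value[] begins at the next 32-bit boundary after the key. */
    size_t off = (hdr + 3) & ~(size_t)3;

    /* The check the driver lacked: the claimed value size must fit inside
     * the block. Written so that the comparison cannot wrap. */
    if (wValueLength > wLength || off > (size_t)wLength - wValueLength) return -1;
    if (wValueLength % 4 != 0) return -1;        /* whole (lang, codepage) pairs only */

    size_t n = wValueLength / 4;
    if (n > out_max) return -1;
    for (size_t i = 0; i < n; i++) {
        out[i].lang     = rd16(buf + off + 4 * i);
        out[i].codepage = rd16(buf + off + 4 * i + 2);
    }
    return (int)n;
}

/* Constructed sample: a well-formed 40-byte block with two translations. */
const uint8_t good_var_block[40] = {
    0x28,0x00,                                  /* wLength = 40 */
    0x08,0x00,                                  /* wValueLength = 8 (two pairs) */
    0x00,0x00,                                  /* wType = 0 */
    'T',0,'r',0,'a',0,'n',0,'s',0,'l',0,'a',0,'t',0,'i',0,'o',0,'n',0,0,0,
    0x00,0x00,                                  /* padding to offset 32 */
    0x09,0x04,0xB0,0x04,                        /* 0x0409 en-US, 0x04B0 Unicode */
    0x07,0x04,0xE4,0x04                         /* 0x0407 de-DE, 0x04E4 Windows-1252 */
};

/* Copies the good block and overwrites wValueLength with an arbitrary value,
 * then returns the parser's verdict. This models the forged field from the
 * advisory without any memory being read past the block. */
int parse_with_value_length(uint16_t forged_value_length)
{
    uint8_t buf[40];
    translation_t out[4];
    memcpy(buf, good_var_block, sizeof buf);
    buf[2] = (uint8_t)(forged_value_length & 0xFF);
    buf[3] = (uint8_t)(forged_value_length >> 8);
    return parse_var_translation(buf, sizeof buf, out, 4);
}

int main(void)
{
    translation_t out[4];
    int n = parse_var_translation(good_var_block, sizeof good_var_block, out, 4);
    printf("well-formed block: %d translations\n", n);
    for (int i = 0; i < n; i++)
        printf("  lang=0x%04X codepage=0x%04X\n", out[i].lang, out[i].codepage);
    printf("forged wValueLength=0x4000: %d\n", parse_with_value_length(0x4000));
    printf("forged wValueLength=12 (one pair too many): %d\n", parse_with_value_length(12));
    return 0;
}
```

The two comparisons against wLength are what turn an attacker-controlled loop limit into a rejected block: the parser derives the iteration count (wValueLength / 4) only after confirming that those bytes exist, so a forged length can never move the read pointer beyond the resource data.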